PHI Potentially Compromised Due to Breaches at 3 Healthcare Organizations

Privacy Breach at Harris Health System

Harris Health System, based in Houston, TX, has informed 2,298 patients about the potential exposure of some of their protected health information (PHI).

On December 30, 2019, two envelopes were being delivered to Ben Taub Hospital for scanning, after which the information was to be archived in the electronic medical record system of Harris Health. However, the envelopes were lost during the delivery process.

The envelopes contained 143 sheets that are thought to hold the information of patients who went to Gulfgate Health Center for healthcare services from December 9, 2019 to December 27, 2019. The information on the sheets included names, birth dates, addresses, phone numbers, test results, diagnoses, medical insurance data, medical data, provider details, and Social Security numbers.

Because the affected patients cannot be identified, Harris Health System decided to notify all patients potentially affected by the breach. Carolynn R. Jones, Harris Health System’s chief compliance and risk officer, stated that the envelopes included the PHI of about 25 patients.

The employee assigned to transport the envelopes has been given approval. Harris Health System reviewed its policies and procedures for patient data transportation and modified them to prevent similar incidents in the future. The health system offered all potential breach victims free membership to credit monitoring services for 12 months.

Theft of Elk Ridge Dentistry Backup Drive Containing ePHI

The dental practice Elk Ridge Dentistry in Estes Park, CO found out about the theft of a portable hard drive used for storing backups. A number of items were taken from the dental practice, including the hard drive. Elk Ridge Dentistry has reported the incident to law enforcement, but the hard drive has not yet been recovered.

The dental practice discovered on January 31, 2020 that the information contained in the hard drive included 2,793 patient records listing their names, addresses, birth dates, medical information, X-ray photos, and some Social Security numbers. The hard drive also contained treatment consent forms, emails and referral letters. All patients affected by the theft received free membership to identity theft protection services via ID Experts.

Break-in at Armada Physical Therapy Potentially Exposed PHI

Armada Physical Therapy had a break-in some time on December 19, 2019 at its Menaul Clinic located on Menaul Boulevard in Albuquerque, NM. The company has reported the theft of a server to law enforcement. The investigation is still in progress and the stolen server has not yet been retrieved.

It was impossible to know exactly what data was saved on the server; however, Armada Physical Therapy is certain that the server contained intake forms for patients who received treatment before December 4, 2017. The intake forms of patients who received treatment after that date were kept in another location.

The information contained in the intake forms included names, addresses, email addresses, phone numbers, Social Security numbers, and insurance numbers. Armada Physical Therapy believes that no financial data was kept on the stolen server. The number of patients impacted by the breach cannot be determined. The breach report sent to the HHS’ Office for Civil Rights shows that about 500 patients were potentially affected.